Re: SAM cracking
- From: Guillaume <Guillaume@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Nov 2007 14:56:03 -0800
Hi,
first of all thanks for the help. But it's not very usefull at all.
Since i work for a publi school our computers must be usable without having
to type in a bios password at boot. I'm not talking here about the password
to get in the BIOS! We also need to install some OS that the students are
administrator for the learning purpose. And we use Novell on our network. So
Active Directory is out of the question! Here's the details...
Any computer running any operating system can be accessed by someoneTrue indeed. But the way the local SAM is encrypted is very stupid to
with 1) physical access; 2) time; 3) skill; 4) tools.
bypass. Just download on torrents for example any rainbow tables and you then
just need the SAM file and a few minutes. You don't even need to be near the
pc you want to get in to do the cracking part. If Microsoft could implement a
true and more solid encryption like on Linux/Unix system with the
Salt+Encryption (see this:
http://tldp.org/HOWTO/Shadow-Password-HOWTO-2.html). It would help to block
any script kiddies to simply download a few files and crack the system!
1. Set a password in the BIOS that must be entered before booting theNot possible to use BIOS boot password. And we already use an BIOS
operating system. Also set the Supervisor password in the BIOS so BIOS
Setup can't be entered without it.
administrator password.
2. From the BIOS, change the boot order to hard drive first.We use floppy disk and cd to boot our pcs for "ghosting" so it's not possible.
3. Set strong passwords on all accounts, including the built-inAlready done. We use password of minimum 16 characters for any administrator
Administrator account.
accounts including letters, numbers and special characters. We also rename
the Administrator account and disable the LN manager hashe.
4. If you leave your own account logged in, use the Windows Key + L toWe never use our own account in the labs. We use special test accounts with
lock the computer (and/or set the screensaver/power saving) when you
step away from the computer and require a password to resume.
very limited privileges. We do that because of possible key loggers, root
kits, etc.
5. Make other users Limited accounts in XP Home, regular user accountsWe don't use Windows XP Home Edition anywhere.
in XP Pro.
6. Set user permissions/restrictions:Already done by different ways. For example, we use gpedit, local policy, etc.
So is there any other way we could encrypt the drive so that no boot cd or
other partition OS can copy the SAM file? Or is it a lost cause because the
way Windows XP is built isn't just secure enough? Don't want to sound rough
here just stating the facts. And yes it's possible to get the passwd file
from a linux OS. But at least the encryption is stronger than the joke
Windows XP Pro implement :-( Any new patch could help us maybie?
Thanks again for any help!
.
- References:
- Re: SAM cracking
- From: Malke
- Re: SAM cracking
- From: Brian Komar
- Re: SAM cracking
- Prev by Date: Re: SAM cracking
- Next by Date: RE: DomainService, fotomoto, vundo: Still Infected?
- Previous by thread: Re: SAM cracking
- Next by thread: Re: Profile exists for deleted account
- Index(es):
Relevant Pages
|
